1183 points robenkleene | 14 comments
eptcyka ◴[] No.24839101[source]
Apple seems to do all kinds of weird networking _stuff_. For instance, during wakeup, your T2-equipped MacBook will wait for a DNS response and then use said DNS response to synchronize time via NTP before letting the user use the keyboard. Probably checking timestamps on signatures for the keyboard firmware, or something stupid like that. This only happens if it happens to have a default route.

Similarly, all macOS machines will test a DHCP supplied default route before applying it by trying to reach something on the internet. So if you happen to have some firewall rules that block internet access, no default route will be applied until the internet check times out.

I won't share the other sentiments about the above, but is it really that hard to document these behaviors?

replies(22): >>24839205 #>>24839226 #>>24839281 #>>24839287 #>>24839352 #>>24839401 #>>24839503 #>>24839892 #>>24840087 #>>24840150 #>>24840234 #>>24840673 #>>24840752 #>>24841372 #>>24841670 #>>24842254 #>>24842446 #>>24843973 #>>24843982 #>>24845295 #>>24845368 #>>24847526 #
dylan604 ◴[] No.24839503[source]
Apple touted the T2 chip as the bee's knees in security. Now, we have a vulnerability that cannot be defended against. However, Apple went all in on the security of this T2 chip so that you cannot replace the SSD (besides the method to manufacture). I appreciate the desire at making a device difficult for a bad actor to get to your data, but they epically failed and ultimately only made a user-hostile device. Oh, and the laptops with these chips also had the world's worst keyboard. Absolute trash.
replies(8): >>24839773 #>>24840191 #>>24840273 #>>24840861 #>>24841024 #>>24842626 #>>24842828 #>>24843964 #
1. grishka ◴[] No.24840861[source]
> I appreciate the desire at making a device difficult for a bad actor to get to your data

That's what FileVault is for. I don't understand what's the problem T2 is trying to solve by its existence. Being able to use something else to read the data from a drive you pulled out of your computer, after decrypting it with your password, is a feature, not a bug. T2 is a regression, not an improvement in security. You can't call it a security product if you keep the master key, which Apple does.

replies(3): >>24841398 #>>24843832 #>>24925093 #
2. derrick_jensen ◴[] No.24841398[source]
One of the value props was the inability to reset and resell if it were lost or stolen. Now that it’s cracked there is more of an incentive to not try and find the owner.

As for actual data security, you are probably right.

replies(2): >>24841580 #>>24843893 #
3. Siira ◴[] No.24841580[source]
Is the crack in hardware or software? Any links on it? I thought the iPhones at least could not be reset by thieves?
replies(3): >>24842622 #>>24842687 #>>24844928 #
4. jeroenhd ◴[] No.24842622{3}[source]
A demo of the T2 hardware exploit on iMacs can be found here: https://blog.t8012.dev/plug-n-pwn/

From what I could find, the encryption keys of the T2 are still secure but the OS running on it is not. Wiping the SSD and/or repairing another might be enough to resell the device without any locks but I'm not 100% sure about that.

5. lioeters ◴[] No.24842687{3}[source]
> The mini operating system on the T2 (SepOS) suffers from a security vulnerability also found in the iPhone 7 since it contains a processor based on the iOS A10.

> ..Using the checkm8 exploit originally made for iPhones, the checkra1n exploit was developed to build a semi-tethered exploit for the T2 security chip, exploiting a flaw. This could be used to e.g. circumvent activation lock, allowing stolen iPhones or macOS devices to be reset and sold on the black market.

> Since sepOS/BootROM is Read-Only Memory for security reasons, interestingly, Apple cannot patch this core vulnerability without a new hardware revision.

Crouching T2, Hidden Danger (2020-10-05) https://ironpeak.be/blog/crouching-t2-hidden-danger/

6. jiveturkey ◴[] No.24843832[source]
> I don't understand what's the problem T2 is trying to solve by its existence.

Watch the 2 security briefings that Apple delivered at Black Hat. I think they are 3 years apart and each touched on different aspects. I might be misremembering and T2 is covered in just one of them.

7. grishka ◴[] No.24843893[source]
> One of the value props was the inability to reset and resell if it were lost or stolen.

It's sure one of those nice to have features, but there's no good reason why it has to be mandatory like it is. All in all, having a device purposefully retain some information when you factory reset it is user-hostile.

The "lost or stolen" argument also hardly holds for desktop computers like Mac Pro or Mac Mini or iMac, yet they still have T2s in them.

replies(2): >>24843967 #>>24845075 #
8. hayksaakian ◴[] No.24843967{3}[source]
It seems like this is a feature designed to shrink the "used" market for Apple products -- and not a user-benefiting feature.
replies(1): >>24844092 #
9. grishka ◴[] No.24844092{4}[source]
But one of the things about Apple products that makes people okay with the exorbitant pricing is the resale value. I thought Apple themselves realized this?
replies(1): >>24866452 #
10. Polylactic_acid ◴[] No.24844928{3}[source]
Every device up to the iPhone X has been cracked btw, so the factory reset protection can be bypassed.
replies(1): >>24857504 #
11. threeseed ◴[] No.24845075{3}[source]
> The "lost or stolen" argument also hardly holds for desktop computers

Why? People's houses get broken into all the time.

And probably 99.999% of laptops never leave a person's house.

12. Siira ◴[] No.24857504{4}[source]
Can you provide some links?
13. thewileyone ◴[] No.24866452{5}[source]
No, they want both you and the potential pre-owned Mac buyer to buy a new device each.
14. ◴[] No.24925093[source]